An intrusion detection system (IDS for short) is a network security device or a software application that monitors data moving across the network in real time and raises an alert, or takes an active response, when it finds suspicious data.
The core function of an IDS is intrusion detection technology, which identifies malicious activity or policy violations in the network. Intrusion detection technology is also widely applied in intrusion prevention systems (IPS for short), next generation firewalls (NGFW for short), and other network security products.
In the related art, intrusion detection technology mainly includes simple pattern matching, stateful pattern matching, signatures based on protocol decoding, heuristic signatures, and the like. A common feature of these technologies is that each kind of attack must be understood in advance and a specific signature developed for it; the intrusion detection technology then consists of matching those signatures efficiently against the data flow (also called the network flow, traffic flow, or packet flow). Therefore, the related art has two obvious deficiencies. One is the lack of an ability to prevent unknown attacks, for which no signature exists yet. The other is the lack of a normalization ability in the identification of known attacks, so that an attacker can easily bypass detection by changing the details (for example the encoding) and the flow of a known attack while preserving its effect.
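The two deficiencies can be made concrete with a small experiment. The example below is added here and is not code from the original document: it runs a hypothetical two-entry signature set over constructed HTTP requests twice, once as simple pattern matching on the raw bytes and once as a protocol-decoding signature that parses the request line and normalizes the request-target (bounded percent-decoding, collapsing of `/./` and `//`) before matching. Signature names, request contents and the `example.test` host are all invented for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical signature set: (name, pattern applied to the HTTP request-target).
SIGNATURES = [
    ("etc-passwd-read", re.compile(r"/etc/passwd")),
    ("phpmyadmin-setup", re.compile(r"/phpmyadmin/scripts/setup\.php", re.IGNORECASE)),
]

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",                       # benign
    b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",                 # textbook form
    b"GET /..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: example.test\r\n\r\n",           # percent-encoded '/'
    b"GET /%252e%252e/etc/%2570asswd HTTP/1.1\r\nHost: example.test\r\n\r\n",        # double-encoded
    b"GET /phpmyadmin/./scripts/setup.php HTTP/1.1\r\nHost: example.test\r\n\r\n",   # '/./' inserted
    b"GET /../../etc/shadow HTTP/1.1\r\nHost: example.test\r\n\r\n",                 # same technique, no signature
]


def request_target(raw: bytes) -> str:
    """Return the request-target from the request line ('GET <target> HTTP/1.1')."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Protocol-aware normalization: percent-decode until the value is stable
    (bounded, so double/triple encoding is undone but a decode loop cannot be
    forced), then collapse '/./' segments and runs of '/'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    target = re.sub(r"/(?:\./)+", "/", target)
    target = re.sub(r"/{2,}", "/", target)
    return target


def naive_match(raw: bytes) -> list[str]:
    """Simple pattern matching: run every signature over the raw bytes as they arrived."""
    text = raw.decode("latin-1")
    return [name for name, pat in SIGNATURES if pat.search(text)]


def decoded_match(raw: bytes) -> list[str]:
    """Protocol-decoding signature: parse the request, normalize the target, then match."""
    target = normalize_target(request_target(raw))
    return [name for name, pat in SIGNATURES if pat.search(target)]


def compare(requests: list[bytes] = SAMPLE_REQUESTS) -> list[tuple[list[str], list[str]]]:
    """For each request, return (alerts from naive matching, alerts from decoded matching)."""
    return [(naive_match(r), decoded_match(r)) for r in requests]


if __name__ == "__main__":
    for raw, (naive, decoded) in zip(SAMPLE_REQUESTS, compare()):
        print(f"{request_target(raw):40s} naive={naive or '-'}  decoded={decoded or '-'}")
```

Requests 3 to 5 are the same two known attacks with trivially altered details; the raw-byte matcher misses all three, while the decoding matcher catches them because it compares the signature against what the server will actually see. Request 6 is caught by neither: it uses the identical traversal technique against a file for which no signature was written, which is the first deficiency. Note that the normalization must mirror the target server's own decoding, otherwise the decoder itself becomes a source of false positives and of new evasions.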